feat(rls): move ackify_app role creation from init script to migrate tool

BREAKING CHANGE: ACKIFY_APP_PASSWORD environment variable is now required for RLS support. The migrate tool creates the ackify_app role before running migrations, ensuring compatibility with existing deployments.

Changes:
- Add ensureAppRole() in cmd/migrate to create/update ackify_app role
- Remove docker/init-scripts/01-create-app-user.sh (no longer needed)
- Update compose.yml: add ACKIFY_APP_PASSWORD, backend connects as ackify_app
- Update migration 0016: remove conditional role creation
- Add RLS documentation (docs/en/configuration/rls.md, docs/fr/configuration/rls.md)
- Update configuration docs with RLS section and security checklist

Migration path for existing deployments:
1. Set ACKIFY_APP_PASSWORD in .env
2. Run docker compose up (migrate will create the role automatically)
Benjamin
2025-12-15 15:55:25 +01:00
parent eca55c6bcb
commit 44431dabf4
36 changed files with 2285 additions and 371 deletions

@@ -144,6 +144,7 @@ else
# Run migrations
echo -e "${YELLOW}📝 Running database migrations...${NC}"
export ACKIFY_DB_DSN="postgres://postgres:testpassword@localhost:5432/ackify_test?sslmode=disable"
export ACKIFY_APP_PASSWORD="ackifytestpassword"
cd "$PROJECT_ROOT"
if go run ./backend/cmd/migrate/main.go -migrations-path file://backend/migrations up; then
echo -e "${GREEN}✓ Migrations applied${NC}"
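Review bot: The `export ACKIFY_APP_PASSWORD="ackifytestpassword"` line overwrites any value the caller or CI has already set and fixes the role password in the script; consider `export ACKIFY_APP_PASSWORD="${ACKIFY_APP_PASSWORD:-ackifytestpassword}"` with a comment marking the default as test-only. Separately, `ACKIFY_DB_DSN` on the line above still connects as `postgres`, and PostgreSQL superusers bypass row-level security, so if later steps in this script reuse that exported DSN they will not exercise the RLS policies; a second DSN for the `ackify_app` role, set after the migrate step, would cover that.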